DETAILED ACTION
Response to Amendment 
This office action is in response to the amendment filed on 02/10/2005. The original application
contained Claims 1-26. The amendment filed on 02/10/05 has been entered and made of
record. Therefore, the presently pending claims are 1-26.

Response to Arguments 

Applicant's arguments filed 02/10/05 have been fully considered but they are not
persuasive for the following reasons.

Applicant argued that there is no teaching whatsoever of transmitting the packet to an
inspection module in Dutta. This is not found persuasive. In response to applicant's argument
that the references fail to show certain features of applicant's invention, it is noted that the
features upon which applicant relies (i.e., transmitting the packet to an inspection module) are
not recited in the rejected claim(s). Although the claims are interpreted in light of the
specification, limitations from the specification are not read into the claims. See In re Van
Geuns, 988 F.2d 1181, 26 USPQ2d 1057 (Fed. Cir. 1993).

In response to applicant's argument that the references fail to show certain features of 
applicant's invention, it is noted that the features upon which applicant relies (i.e., separate
modules for providing different tests) are not recited in the rejected claim(s). Although the
claims are interpreted in light of the specification, limitations from the specification are not read
into the claims. See In re Van Geuns, 988 F.2d 1181, 26 USPQ2d 1057 (Fed. Cir. 1993).

The applicant argues further that there is no mention of new modules that may be loaded
during execution of the firewall process. The module that is loaded during the execution of the 
firewall process is the pertinent rule that is fetched and processed in the section that is quoted by 
the applicant (column 5 lines 1-12). 

The applicant argues further that there is no mention anywhere in the O'Brien document 
of modules that monitor packets being sent between systems. This is not persuasive. In response 
to applicant's argument that the references fail to show certain features of applicant's invention,
it is noted that the features upon which applicant relies (i.e., modules that monitor packets being
sent between systems) are not recited in the rejected claim(s). Although the claims are
interpreted in light of the specification, limitations from the specification are not read into the
claims. See In re Van Geuns, 988 F.2d 1181, 26 USPQ2d 1057 (Fed. Cir. 1993).

In response to applicant's argument that there is no suggestion to combine the references,
the examiner recognizes that obviousness can only be established by combining or modifying the
teachings of the prior art to produce the claimed invention where there is some teaching,
suggestion, or motivation to do so found either in the references themselves or in the knowledge
generally available to one of ordinary skill in the art. See In re Fine, 837 F.2d 1071, 5
USPQ2d 1596 (Fed. Cir. 1988) and In re Jones, 958 F.2d 347, 21 USPQ2d 1941 (Fed. Cir. 1992).
In this case, the knowledge is generally available to one of ordinary skill in the art. 

In reference to claim 6, in response to applicant's argument that the references fail to 
show certain features of applicant's invention, it is noted that the features upon which applicant 
relies (i.e., a firewall core that monitors a memory for inspection modules that are loaded into a
memory during operation of the firewall system) are not recited in the rejected claim(s).
Although the claims are interpreted in light of the specification, limitations from the specification
are not read into the claims. See In re Van Geuns, 988 F.2d 1181, 26 USPQ2d 1057 (Fed. Cir.
1993).

In response to applicant's argument that there is no suggestion to combine the references, 
the examiner recognizes that obviousness can only be established by combining or modifying the 
teachings of the prior art to produce the claimed invention where there is some teaching, 
suggestion, or motivation to do so found either in the references themselves or in the knowledge 
generally available to one of ordinary skill in the art. See In re Fine, 837 F.2d 1071, 5 
USPQ2d 1596 (Fed. Cir. 1988) and In re Jones, 958 F.2d 347, 21 USPQ2d 1941 (Fed. Cir. 1992).
In this case, the knowledge is generally available to one of ordinary skill in the art. 

In response to applicant's argument that the references fail to show certain features of
applicant's invention, it is noted that the features upon which applicant relies (i.e., module that is
loaded into a memory monitored by the firewall core during operation of the firewall system) are
not recited in the rejected claim(s). Although the claims are interpreted in light of the
specification, limitations from the specification are not read into the claims. See In re Van
Geuns, 988 F.2d 1181, 26 USPQ2d 1057 (Fed. Cir. 1993).

In response to applicant's argument that there is no suggestion to combine the references, 
the examiner recognizes that obviousness can only be established by combining or modifying the 
teachings of the prior art to produce the claimed invention where there is some teaching, 
suggestion, or motivation to do so found either in the references themselves or in the knowledge 
generally available to one of ordinary skill in the art. See In re Fine, 837 F.2d 1071, 5
USPQ2d 1596 (Fed. Cir. 1988) and In re Jones, 958 F.2d 347, 21 USPQ2d 1941 (Fed. Cir. 1992).
In this case, the knowledge is generally available to one of ordinary skill in the art.

Application/Control Number: 09/504,005
Art Unit: 2135

The examiner asserts that Dutta and O'Brien do teach or suggest the subject matter
broadly recited in independent Claims 1, 6, 10, 15, 21. Dependent Claims 2-5, 7-9, 11, 13-14,
16-17, 19-20, 22-23, and 25-26 are also rejected at least by virtue of their dependency on
independent claims and for the other reasons set forth in this office action. Accordingly, rejections for
claims 1-11, 13-17, 19-23, and 25-26 are respectfully maintained.

Claim Rejections - 35 USC § 103 
The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in 
section 102 of this title, if the differences between the subject matter sought to be patented and the prior art are 
such that the subject matter as a whole would have been obvious at the time the invention was made to a person 
having ordinary skill in the art to which said subject matter pertains. Patentability shall not be negatived by the 
manner in which the invention was made. 

1. Claims 1-26 are rejected under 35 U.S.C. 103(a) as being unpatentable over Dutta (U.S.
Patent 6,574,666 B1) in view of O'Brien et al. (6,658,571 B1).

In reference to claim 7, Dutta suggests a firewall device having a plurality of 
communication interfaces, a firewall system comprising: a) a firewall core connected to each 
said communication interface (column 4 lines 63-66); said firewall core configured to receive 
data packets from said interfaces for inspection (column 2 lines 60-65). 

The firewall core utilizes a library of rules that can be downloaded from a database 
(column 3 lines 15-25); therefore Dutta discloses receiving security information from a separate 
subsystem, the database. Dutta does not disclose the separate subsystem consisting of at least
one inspection module coupled for communication to said firewall core, said inspection module
configured to provide protocol inspection of data packets, said inspection module is further
configured to be installed during the operation of the firewall system.

However, O'Brien discloses the separate subsystem consisting of at least one inspection
module coupled for communication to the user space, said inspection module configured to 
provide protocol inspection of data (column 3 lines 39-56), said inspection module is further 
configured to be installed during the operation of the system (column 3 lines 56-64). 

At the time the invention was made, it would have been obvious to a person of ordinary 
skill in the art to use security modules as in O'Brien to provide protocol inspection in the system 
of Dutta. One of ordinary skill in the art would have been motivated to do this because security 
information that is application and resource specific would reduce the damage that
malicious software can cause in the event that malicious software is accidentally executed 
without additional hardware, or modification to the individual software applications or the 
underlying operating system. 

In reference to claim 6, Dutta suggests a firewall device having a plurality of 
communication interfaces, a firewall core configured to be coupled to at least one inspection 
module, said firewall core comprising: a communication unit operatively coupled to the 
communication interfaces (column 4 lines 63-66). 

The firewall core in the system of Dutta utilizes a library of rules that can be downloaded 
from a database (column 3 lines 15-25); therefore Dutta discloses receiving security information 
from a separate subsystem, the database. However Dutta does not disclose a set of callback 
functions, retrieved from said inspection module, each said function providing communication
between said firewall core and said inspection module. In addition the firewall core disclosed by
Dutta is not configured to monitor a memory to determine when a new inspection module is
loaded into said memory (column 5 lines 15-27).

O'Brien discloses a set of callback functions, retrieved from said inspection module, each
said function providing communication between the security master and said inspection module
(column 5 lines 15-27). In addition the system of O'Brien is configured to monitor a memory to
determine when a new inspection module is loaded into said memory (column 5 lines 28-46).

At the time the invention was made, it would have been obvious to a person of ordinary 
skill in the art to use callback functions from security modules as in O'Brien to provide protocol 
inspection in the system of Dutta. One of ordinary skill in the art would have been motivated to 
do this because callback functions allow the security modules to communicate with the user 
space so that security information that is application and resource specific would reduce
the damage that malicious software can cause in the event that malicious software is accidentally 
executed without additional hardware, or modification to the individual software applications or 
the underlying operating system. 

In reference to claim 10, Dutta suggests a firewall device having a plurality of
communication interfaces and a firewall core coupled to the communication interfaces, an
inspection module configured to couple with the firewall core, said inspection module
comprising: a) an inspection unit configured to inspect and authorize data packets (column 5
lines 1-12).

The firewall core in the system of Dutta utilizes a library of rules that can be downloaded 
from a database (column 3 lines 15-25); therefore Dutta discloses receiving security information
from a separate subsystem, the database. However Dutta does not disclose a set of callback
functions, retrieved from said inspection module, each said function providing communication 
between said firewall core and said inspection module. In addition the system disclosed by 
O'Brien is configured to monitor a memory to determine when a new inspection module is 
loaded into said memory (column 5 lines 15-27). 

O'Brien discloses a set of callback functions, retrieved from said inspection module, each 
said function providing communication between the security master and said inspection module 
(column 5 lines 15-27). In addition the firewall core disclosed by Dutta is not configured to 
monitor a memory to determine when a new inspection module is loaded into said memory 
(column 5 lines 28-46). 

At the time the invention was made, it would have been obvious to a person of ordinary 
skill in the art to use callback functions from security modules as in O'Brien to provide protocol 
inspection in the system of Dutta. One of ordinary skill in the art would have been motivated to 
do this because callback functions allow the security modules to communicate with the user 
space so that security information that is application and resource specific would reduce
the damage that malicious software can cause in the event that malicious software is accidentally 
executed without additional hardware, or modification to the individual software applications or 
the underlying operating system. 

In reference to claims 15 and 21, Dutta suggests a firewall device having a firewall 
system including a firewall core, a method for adding protocol knowledge to the firewall system 
during runtime (column 3 lines 14-25).

However Dutta does not disclose a) loading an inspection module comprising new
protocol inspection knowledge and a function table having a set of callback functions; to b) 
notifying the firewall core of said inspection module (column 3 lines 26-33); and c) 
communicating said set of callback functions to said firewall core. 

O'Brien discloses a) loading an inspection module comprising new protocol inspection 
knowledge and a function table having a set of callback functions (column 5 lines 1-27); to b) 
notifying the security master of said inspection module (column 5 lines 12-27); and c) 
communicating said set of callback functions to the security master (column 5 lines 27-45). 

At the time the invention was made, it would have been obvious to a person of ordinary 
skill in the art to use callback functions from security modules as in O'Brien to provide protocol 
inspection in the system of Dutta. One of ordinary skill in the art would have been motivated to 
do this because callback functions allow the security modules to communicate with the user 
space so that security information that is application and resource specific would reduce
the damage that malicious software can cause in the event that malicious software is accidentally 
executed without additional hardware, or modification to the individual software applications or 
the underlying operating system. 

In reference to claim 2, wherein said inspection module is installed into a memory space 
monitored by said firewall core (Dutta column 4 lines 41-62). 

In reference to claim 5, wherein said inspection module further comprises callback 
functions, said functions communicated to said firewall core and providing communication 
between said firewall core and said inspection module.

Dutta does not expressly disclose the use of callback functions which communicate to the
firewall core and providing communication between the firewall core and said inspection 
module. 

O'Brien discloses a set of callback functions, retrieved from said inspection module, each 
said function providing communication between the security master and said inspection module 
(column 5 lines 15-27).

At the time the invention was made, it would have been obvious to a person of ordinary 
skill in the art to use callback functions from security modules as in O'Brien to provide protocol 
inspection in the system of Dutta. One of ordinary skill in the art would have been motivated to 
do this because callback functions allow the security modules to communicate with the user 
space so that security information that is application and resource specific would reduce
the damage that malicious software can cause in the event that malicious software is accidentally 
executed without additional hardware, or modification to the individual software applications or 
the underlying operating system. 

In reference to claim 4, wherein said inspection module is further configured to indicate 
to said firewall core for which data packets said inspection module is configured to provide 
inspection (Dutta column 4 line 66 to column 5 line 12). 

In reference to claim 5, wherein said data packets intercepted by said firewall core further 
includes session information comprising address and port data, said firewall core further 
configured to map said session information to corresponding inspection modules (Dutta column 
2 line 60 to column 3 line 5 in combination with column 4 lines 32-50). Packet Filter Router
rules are based on address and port information, therefore, the address and port information
obviously must be contained within the packets. 

In reference to claim 7, wherein said communication unit is further configured to 
intercept network data communicated via said network interfaces (Dutta column 3 lines 46-65). 

In reference to claim 8, further comprising a session mapping unit, said data packets 
intercepted by said firewall core further including session information comprising address and 
port data, said firewall core further configured to map said session information to corresponding
inspection modules into a session mapping and store said session mapping into said session 
mapping unit (Dutta column 2 line 60 to column 3 line 5 in combination with column 4 lines 32- 
50). Packet Filter Router rules are based on address and port information, therefore, the address 
and port information obviously must be contained within the packets. 

In reference to claim 9, wherein said communication unit is further configured to
communicate packets between said communication interfaces and said inspection module for
inspection (Dutta column 4 line 63 to column 5 line 12).

In reference to claim 11, wherein said inspection unit is further configured to be installed
during the operation of the firewall core. The rules retrieved by the filter processor to update the 
filter processor are retrieved during the operation of the filter processor. 

In reference to claim 13, the firewall system of claim 1, wherein said inspection module 
is further configured to indicate to said firewall core for which data packets said inspection 
module is configured to provide inspection (Dutta column 5 lines 1-12). 

In reference to claim 14, wherein said inspection unit is further configured to receive and
inspect packets communicated from the firewall core (Dutta column 5 lines 5-12).

In reference to claim 16 and 22, further comprising enabling said inspection module,
prior to communicating said set of callback function to said firewall core. The new information
is used to filter packets therefore the new rules, provided by the filter processor, are in an 
enabled state similar to the state of the inspection module. 

In reference to claim 17 and 23, further comprising inspecting of packets by said 
inspection module, said packets communicated from the firewall core to said inspection module
(Dutta column 5 lines 1-12). 

In reference to claim 19 and 25, wherein said notifying the firewall core comprises 
transmitting a signal to the firewall core to indicate the installation of said inspection module 
(Dutta column 3 lines 25-32). 

In reference to claim 20 and 26, further comprising indicating by said inspection module 
for which data packets said inspection module provides inspection (Dutta column 5 lines 1-12).

Conclusion 

THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time 
policy as set forth in 37 CFR 1.136(a).

A shortened statutory period for reply to this final action is set to expire THREE 
MONTHS from the mailing date of this action. In the event a first reply is filed within TWO
MONTHS of the mailing date of this final action and the advisory action is not mailed until after 
the end of the THREE-MONTH shortened statutory period, then the shortened statutory period 
will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 
CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event,
however, will the statutory period for reply expire later than SIX MONTHS from the mailing
date of this final action. 

Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Paula W. Klimach whose telephone number is (571) 272-3854.
The examiner can normally be reached on Mon to Thr 9:30 a.m. to 5:30 p.m.

If attempts to reach the examiner by telephone are unsuccessful, the examiner's
supervisor, Kim Vu can be reached on (571) 272-3859. The fax phone number for the 
organization where this application or proceeding is assigned is 703-872-9306. 

Information regarding the status of an application may be obtained from the Patent 
Application Information Retrieval (PAIR) system. Status information for published applications
may be obtained from either Private PAIR or Public PAIR. Status information for unpublished
applications is available through Private PAIR only. For more information about the PAIR
system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR 
system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free).